

Notes on PortSentry

What is PortSentry?

When it comes to IDS, Snort is the well-known name. Snort, however, only detects and logs intrusion attempts against the network and its hosts; it does not block anything by itself.

PortSentry, by contrast, does more than log: when it detects a port scan it reacts, for example by inserting an iptables filter rule directly. It can run whatever command you configure in response, even one that would itself amount to a DoS, which is not recommended.

It handles connections to ordinary ports as well as port scans and stealth scans. The interesting part is that the watched ports look open; as soon as someone connects, PortSentry runs the configured network-level action (iptables and so on). From the scanner's side, a port that seemed open suddenly stops answering. For the details, see the PortSentry README (Japanese translation) linked below.

URL

http://sourceforge.net/projects/sentrytools/

Common Public License, GNU General Public License (GPL)

Installing PortSentry

This install was done on Red Hat Linux 7.3; recent RHEL and Fedora Core should set up the same way.

First, fetch and unpack the archive, as usual.

$ wget http://jaist.dl.sourceforge.net/sourceforge/sentrytools/portsentry-1.2.tar.gz
$ tar xfz portsentry-1.2.tar.gz
$ cd portsentry_beta

Edit the configuration header portsentry_config.h.

$ vi portsentry_config.h

This is where the install prefix and the path to hosts.deny are set. I kept the defaults.

#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
#define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
#define SYSLOG_FACILITY LOG_DAEMON
#define SYSLOG_LEVEL LOG_NOTICE

In portsentry.conf, set the ports to watch.

TCP_PORTS="1,11,15,79,111,119,143,540,635,(snip),49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,(snip),32774,31337,54321"

I left these at their defaults as well.

For the response, I use iptables. Go to line 206 of portsentry.conf, uncomment the iptables line, and set the path to /sbin/iptables.

# iptables support for Linux
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

A route command such as /sbin/route add xxx.xxx.xxx.xxx reject would also work, but I chose to call iptables directly.

Next, register the hosts that must never be blocked.

$ vi portsentry.ignore

Open the file and list IP addresses, or network/netmask ranges. I added the networks I connect from: if you forget your own address, a false alarm can lock you out, so be sure to include it.

127.0.0.1/32
0.0.0.0

Now compile. Running make with no target prints the usage.

$ make
Usage: make <systype>
<systype> is one of: linux, debian-linux, bsd, solaris, hpux, hpux-gcc,
freebsd, osx, openbsd, netbsd, bsdi, aix, osf, irix, generic

This code requires snprintf()/vsnprintf() system calls
to work. If you run a modern OS it should work on
your system with 'make generic'. If you get it to
work on an unlisted OS please write us with the
changes.

Install: make install

NOTE: This will install the package in this
      directory: /usr/local/psionic 

Edit the makefile if you wish to change these paths.
Any existing files will be overwritten.

This system is Red Hat Linux, so compile with make linux.

$ make linux
# make install

Check and, if necessary, edit /usr/local/psionic/portsentry/portsentry.conf.

Finally, start it. TCP and UDP are watched by separate daemons, started with -tcp and -udp respectively.

# /usr/local/psionic/portsentry/portsentry -tcp
# /usr/local/psionic/portsentry/portsentry -udp

Confirm with ps that both daemons are running.

$ ps ax | grep port
25267 ?        S      0:00 /usr/local/psionic/portsentry/portsentry -tcp
25269 ?        S      0:00 /usr/local/psionic/portsentry/portsentry -udp

Finally, arrange for PortSentry to start automatically at boot.

# vi /etc/rc.d/rc.local

Open the file and append the following at the end.

# PortSentry
/usr/local/psionic/portsentry/portsentry -tcp
/usr/local/psionic/portsentry/portsentry -udp

Checking that PortSentry works

Startup messages go to /var/log/messages; check them with tail /var/log/messages.

Jul 24 21:13:37 nsx portsentry[25266]: adminalert: PortSentry 1.2 is starting.
Jul 24 21:13:37 nsx portsentry[25267]: adminalert: Going into listen mode on TCP port: 1
Jul 24 21:13:37 nsx portsentry[25267]: adminalert: Going into listen mode on TCP port: 11
(long list omitted)
Jul 24 21:13:39 nsx portsentry[25269]: adminalert: Going into listen mode on UDP port: 54321
Jul 24 21:13:39 nsx portsentry[25269]: adminalert: PortSentry is now active and listening.

It is running. netstat -na now shows a large number of additional listening ports.

Now, a real test.

First, from an outside host.

$ telnet nsx.pocketstudio.jp 143
Trying 210.128.158.225...
Connected to nsx.pocketstudio.jp.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] nsx.pocketstudio.jp IMAP4rev1 2004.349 at Sun, 24 Jul 2005 21:16:12 +0900 (JST)
001 LOGOUT
* BYE nsx.pocketstudio.jp IMAP4rev1 server terminating connection
001 OK LOGOUT completed
Connection closed by foreign host.

Hm, nothing was caught?

Right: the README says ports already in use by a real service are excluded from monitoring (port 143 is IMAP here), so let's try a different port.

$ telnet nsx.pocketstudio.jp 111
Trying 210.128.158.225...
Connected to nsx.pocketstudio.jp.
Escape character is '^]'.
Connection closed by foreign host.

Kicked out. The log shows the connection was detected, the host was added to /etc/hosts.deny and an iptables DROP rule was inserted:

Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Connect from host: sv.pocketstudio.jp/210.239.46.254 to TCP port: 111
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Host 210.239.46.254 has been blocked via wrappers with string: "ALL: 210.239.46.254"
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Host 210.239.46.254 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 210.239.46.254 -j DROP"

Opening /etc/hosts.deny shows the source address (210.239.46.254) has been added:

ALL: 210.239.46.254

iptables -L also shows the packet DROP rule. Working as intended.

# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  sv.pocketstudio.jp   anywhere
(snip)

So even when a port scan comes in, it is blocked automatically. It is a classic approach, but since an attack usually begins with a port scan to find open ports, PortSentry will handle that stage on its own.
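As an added example (not part of the original page or of PortSentry itself), the following script parses attackalert lines in the format shown above, reproduces the $TARGET$ substitution PortSentry applies to KILL_ROUTE, and checks a portsentry.ignore file against the addresses you administer from, which is the lock-out risk mentioned in the section on the ignore file. The sample log and ignore file are constructed; treating a bare address in portsentry.ignore as a /32 is an assumption.

```python
import ipaddress
import re

# Constructed sample in the format of PortSentry 1.2 attackalert lines
# in /var/log/messages (the first entries mirror the page's own log).
SAMPLE_LOG = """\
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Connect from host: sv.pocketstudio.jp/210.239.46.254 to TCP port: 111
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Host 210.239.46.254 has been blocked via wrappers with string: "ALL: 210.239.46.254"
Jul 24 21:21:03 nsx portsentry[25318]: attackalert: Connect from host: 192.0.2.7 to UDP port: 161
Jul 24 21:21:05 nsx portsentry[25316]: adminalert: PortSentry is now active and listening.
"""

# Constructed portsentry.ignore: the page's default entries plus one admin network.
SAMPLE_IGNORE = """\
127.0.0.1/32
0.0.0.0
192.0.2.0/24
"""

# KILL_ROUTE exactly as configured on this page.
KILL_ROUTE = "/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?:\S+/)?(\d+\.\d+\.\d+\.\d+)"
    r" to (TCP|UDP) port: (\d+)"
)

def parse_attackalerts(log):
    """Return (ip, proto, port) for every 'Connect from host' alert; the
    optional hostname/ prefix that PortSentry prepends is skipped."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in CONNECT_RE.finditer(log)]

def load_ignore(text):
    """Parse portsentry.ignore into networks (assumption: bare address = /32)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_ignored(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def expand_kill_route(template, target):
    """Substitute $TARGET$ the way PortSentry builds the KILL_ROUTE command."""
    return template.replace("$TARGET$", target)

def unprotected(admin_ips, ignore_text):
    """Admin addresses that portsentry.ignore does NOT cover: a scan or a
    stray connection from one of these would get you blocked."""
    nets = load_ignore(ignore_text)
    return [ip for ip in admin_ips if not is_ignored(ip, nets)]
```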

There are many other features; see the README for details.

PortSentry README

PortSentry README (Japanese translation)


Last-modified: Mon, 24 May 2010 20:32:21 JST